On 25 May 2018, the General Data Protection Regulation (“GDPR”) will become fully effective for all 28 Member States.
The Bill aims to provide a legal framework “essentially equivalent” to the GDPR so that, following Brexit, the UK will likely offer an adequate level of data protection and therefore be able to receive an adequacy decision by the EU Commission.
Despite its similarity, the UK introduces some conditions and exceptions that modify or supplement the GDPR.
The Bill implements many of core concepts of the GDPR but at the same time the UK government has made a number of agreed modifications to make the Bill working for the benefit of the country.
Among the most interesting modifications there are:
- Sections from 2 to 4 of the Bill that detail exemptions from certain rules of the GDPR for specific circumstances (e.g., processing for crime and taxation purposes, the performance of functions of regulatory bodies or research, historical or statistical purposes, etc.);
- Section 8 of the Bill which allows children from the age 13 to consent to their personal data being processed without parental consent (13 years is the lowest age of consent permitted by the GDPR);
- Section 162 that outlines a brand new criminal offence that applies if an organisation knowingly or recklessly re-identifies information that is “de-identified” personal data, without the consent of the data controller responsible for de-identifying the data. According to the explanatory notes, such provision aims specifically at avoiding the re-indentification of anonymized special categories of persona data (e.g., data relating to health) but it might be extended to other fields such as the re-identification of data collected thorough analytics.
Finally, in order to ensure effective compliance with the legislation, the Bill provides additional powers for the Information Commissioner’s Office (“ICO”), who will continue to regulate and enforce data protection law. The Bill allows the ICO to levy higher administrative fines on data controllers and data processors for the most serious data breaches, up to £17m (€20m) or 4% of global turnover.
The ability to transfer data across international borders is crucial to a well-functioning economy.
The discussion of the Bill in the House of Lords just represents the first step of the UK data protection reform, thus there may be still room for changes. The aim of the Bill is to ensure that data flows continue between the UK and the EU after the Brexit, e.g., seeking the European Commission adequacy decision. The effect of such a decision is that personal data can flow from the EU countries and three EEA member countries (Norway, Liechtenstein and Iceland) to a third country (like the UK after the Brexit) without any further safeguard being necessary.
Given the similarity of the Bill with the GDPR businesses can surely continue with their GDPR-based compliance process.
We will continue to monitor the further development of the legislative process, which are also available here.